Report No. 05-016
March 2005

Security Controls Over the FDIC’s Electronic Mail (E-mail) Infrastructure

Background and Purpose of Audit

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with International Business Machines (IBM) Business Consulting Services to audit and report on the effectiveness of security controls over the FDIC’s electronic mail (e-mail) infrastructure. The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under the Federal Information Security Management Act of 2002.

The FDIC uses e-mail to conduct much of its official business and share sensitive information such as open bank data, contract negotiations, personnel data, and legal matters. E-mail servers are one of the most frequent targets of attacks. In addition, e-mail messages and their attachments have proven to be effective in introducing viruses, worms, and other types of malicious code into networks. Therefore, e-mail servers and related infrastructure components must be properly secured.

The objective of the audit was to evaluate the adequacy of security controls over the FDIC’s e-mail infrastructure that were designed to ensure the appropriate confidentiality, integrity, and availability of information. As part of the audit, IBM evaluated the FDIC’s management, operational, and technical security controls related to the e-mail infrastructure for consistency with federal standards and guidelines.

Results of Audit

IBM found that the FDIC had established and implemented many of the e-mail security controls recommended in federal standards and guidelines such as e-mail encryption, software patch management, and a network architecture that protects e-mail servers. While these actions were positive, the FDIC needed to take additional steps to ensure that security controls for the e-mail infrastructure provided adequate confidentiality, integrity, and availability of information.

Recommendations and Management Response

IBM recommended that the FDIC:

   • take additional measures to ensure that users encrypt e-mail communications when appropriate;
   • strengthen technical security controls over the e-mail infrastructure;
   • improve the vulnerability scanning process for e-mail servers; and
   • strengthen controls for ensuring that electronic records, including e-mails, are retained when employees leave the Corporation.

The Corporation’s response adequately addressed our concerns.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.